Analysis of Corporate Privacy Practices Presentation by Dr. Larry Ponemon CEO, Privacy Council Workshop on the Relationship between Privacy & Security Carnegie-Mellon University, May 29, 2002


Page 1: Analysis of Corporate Privacy Practices

Analysis of Corporate Privacy Practices

Presentation by Dr. Larry Ponemon, CEO, Privacy Council

Workshop on the Relationship between Privacy & Security, Carnegie-Mellon University, May 29, 2002

Page 2

Proposed Agenda:

• The drivers to privacy

• The impact of 9/11 on corporate privacy compliance initiatives

• Review of corporate privacy management practices

Page 3

A “Right” to Privacy?

Do you have a right to:

• Control information collected about you and your family?

• Control how that information is being used?

• Have access to review your personal information?

• Have the ability to change incorrect information?

Page 4

How Bad Does it Get?

• Story: In Arizona, about 100 members of a retirement community were given “free” personal computers, full access to the Internet and a basic “hands-on” training program.

• Sounds too good to be true?

• The real deal is about providing significant information about yourself and your immediate family (children, grandchildren and so forth).

• So, who has the choice now? What recourse do these people have? And how about our relatives who had their privacy violated?

Page 5

Fact . . .

• A recent analysis of major organizations shows that less than 24% of companies in the United States are in “reasonable” compliance with their stated Internet privacy policy.

• Far fewer companies would be able to comply with the provisions of new regulations, laws and standards around the world.

Page 6

Why is Privacy a Hot Issue?

• Post 9/11 – Surveillance society

• Growing misuse of personal (sensitive) information

• Exponential growth in identity theft

• Increased regulatory oversight

• Press and media coverage

• Aggressive advocacy

Page 7

Review: The “Ethical” Principles

Notice and Awareness: Information collection practices; usage and sharing

Choice and Consent: Opt-in and opt-out policies and methods

Access and Accuracy: Right to view, modify or delete relevant information

Reasonable Security: Ensuring the integrity and protection of data

Redress and Enforcement: Including a dispute resolution mechanism

Page 8

Post 9/11 Impact on Privacy and Surveillance

• Authentication has become a major focus

– Something the company knows about you, usually in the form of individuated data (e.g. mother’s maiden name)

– Something you carry in your wallet, computer or PDA (e.g. a smart card)

– Something that defines you, such as a fingerprint or facial scan (biometrics)

Better authentication reduces both privacy and security risks, but only if the credentialing process (verifying who a person is before issuing the credential) is nearly perfect.

Page 9

Post 9/11 Impact on Privacy and Surveillance

• Security has become dominant over privacy

– The focus on stopping the “bad guy” from getting inside the critical infrastructure or gaining access to assets

– Privacy rights are still important, but not at the cost of diminishing security and public safety

– New surveillance methods draw upon multiple sources of customer-centric information creating a potential privacy blow-up if this personal information is not protected or managed properly.

Page 10

Factors Increasing Post 9/11 Privacy Risks

• Growing use of personal information

• Over-reliance on new biometric and surveillance technologies (increasing misclassification risk, false positives)

• Lax controls over personal information used for surveillance

• Increased information sharing practices among organizations, without proper control or consistent application

• Limited or fragmented regulatory enforcement of privacy

• Lack of awareness, understanding or general complacency about the continued need for privacy

Page 11

The New Surveillance Society

Growing concerns for most people:

• Who is watching me?

• Who is watching the watchers?

• Do individuals have a choice?

• How will surveillance data (negative data) be used and/or shared?

• What are the long-term consequences to our rights to privacy (and what are the costs to business)?

Page 12

Regulations and Industry Initiatives

• Financial Services - Gramm-Leach-Bliley Act (GLBA)

• Health Care - Health Insurance Portability and Accountability Act (HIPAA)

• Children’s Online Privacy Protection Act - COPPA

• Federal Trade Commission

• EU Data Protection Directive

• New Canadian Regulations - PIPEDA

• Proposed Bills for Internet, Government and Financial Services

• Over 400 State bills (including recent legislation in Vermont)

Page 13

Beyond Regulation

• Consumer concerns are costing business in terms of lost sales, market value and potential litigation

• Strong and well funded advocacy groups have major impact on corporate reputation

• Privacy concerns are not independent of national boundary and culture

• Privacy regulation is creating large demand for privacy enabling technology such as P3P

• Privacy issues create real social and ethical risk

Page 14

Consequences . . .

• Many companies have become paralyzed by the proverbial privacy storm.

• Privacy advocates and regulators are quickly turning their attention to off-line companies with respect to the sale of personal (sensitive) information.

• The largest area for potential abuse concerns telephony and the wireless web, which may take years to get off the ground because of regulatory groundswells.

• But, most companies are still complacent about privacy risk

Page 15

What Makes a Privacy Policy Work?

Page 16

Setting the Tone of the Program

• Understanding your business and data management environment

• Focus program on identified risk areas

– Avoid the “CYA” orientation

– Avoid too much control over behavior

• Get commitment from senior executives and the Board

• Get input and buy-in from all key stakeholders

• Avoid the “one size fits all” syndrome

– Privacy policy needs to fit corporate culture

– Decentralized environment may require separate policies

• Make sure that you “walk-the-talk”

Page 17

Establishing Governance

• Establish privacy leader and organizational sponsor

– Assigned the title Privacy Officer

– High-level reporting responsibility to the CEO

• Establish cross-functional committee composed of key stakeholders, including:

– Legal

– Marketing/CRM

– Human Resources

– Corporate Compliance

– Regulatory Affairs and Public Relations

– Information Technology

– Security

Page 18

Writing the Policy

• Start with pledge of the CEO and Board

• Define overarching principles

• Keep sections clear and concise

• If possible, avoid legalese

• Include examples and short cases

• Explain the redress process

• Define what is meant by personal accountability

Page 19

Five Typical Policy Components

• Requirements and process for fair disclosure and proper notice

• Opportunity to provide individuals with choice or consent to data capture, secondary usage and sharing

• Pledge of reasonable security and data protection efforts over all personal (private) information

• Opportunity to access personal information (and correct identified errors)

• Pledge of reasonable redress and dispute resolution process for individuals

Page 20

Vetting the Privacy Policy

• Get buy in from business unit leaders

• Hold workshops with groups of employees to determine understanding and usefulness

• Revise document based on legitimate issues and concerns raised by stakeholders

• Get finalized approval from the Board

• Send policy to all employees, contractors and business partners

• Think about external disclosure (on Web sites and other public venues)

Page 21

Benchmark Results on Privacy Policy

Corporate Privacy Policies (share of companies surveyed):

Less than 10 printed pages ............... 72%
Identify all fair information practices .. 19%
Contain letter from the CEO or Board ..... 21%
Contain examples & illustrations ......... 9%
Simple, easy to read language ............ 8%
Translated into multiple languages ....... 15%
Section on employee privacy issues ....... 24%
Explanation of redress process ........... 12%

Source: unpublished study of 181 corporations (all Fortune 1000 or Global 500 companies), using information on their corporate ethics programs to determine the existence, coverage and effectiveness of program efforts on a global basis.

Page 22

Reality Check

“Most people don’t do what they believe in, they just do what’s most convenient -- and then they repent.”

Source: Bob Dylan.

Page 23

Privacy Management Process

Page 24

What is the Privacy Management Process?

“A management process comprised of compliance programs and systems designed to motivate, measure, and monitor the organization’s privacy and data protection practices.”

Page 25

The Privacy Management Process

Process Management

Including performance-based measurement, scorecards, external verification and a crisis management plan

Training

Including classroom-based training, facilitated training, and e-learning programs for all employees who handle sensitive personal information

Ongoing Monitoring

Including a formal process for identifying privacy and information security risk and vulnerability areas within core business units

Communications

Including policies, corporate communications, employee handbooks, and compliance procedures

Enforcement

Including the formal mechanism and due process for evaluating privacy and data protection blow-ups

Page 26

Building an Effective Privacy Management Process

• PMP helps to identify and reduce the most salient cases of privacy compliance and data protection risks.

• PMP helps to make policies real and meaningful to employees and other key stakeholders.

• PMP helps people to learn about their role in managing privacy and in protecting sensitive personal data within the organization.

• PMP serves as a tool to foster feedback and learning for employees and managers.

• PMP fosters climate and cultural change with respect to accountability and empowerment.

Page 27

Measuring the Effectiveness of the Privacy Management Process

• Develop process performance benchmarks and guidelines that can be verified (perhaps by independent third-party).

• Use drill-down approach to assess privacy and data protection risk at the core business process level.

• Develop performance indicators that focus on the antecedents to privacy and data protection risk.

• Use a “balanced scorecard” approach to measuring improvements and establishing accountability.

Page 28

Performance Indicators for Privacy Management Process

• Objective Measures

– Existence of PMP

– Training coverage

– Understanding and knowledge

– Compliance breaches

– Customer complaints

– Customer churn

– Litigation

• Perception Measures

– Quality of policy

– Beliefs about program

– Culture toward compliance

– Consumer trust

– Reputation

– Pressure to bend the rules

Page 29

What Companies are Doing Today

Page 30

• Privacy policy with limited training or awareness activity during rollout phase

• Governance model using cross-functional committee

• Basic education program, often using e-learning technology to disseminate information and test understanding

• Minimal downstream communication efforts

• Appointment of a high-level executive as the “privacy officer”, often with unclear reporting lines

• Limited monitoring or assessment of compliance-related risks

What Companies are Doing Today

Page 31

Benchmark on Privacy Practices

Privacy Management Practices (share of companies surveyed):

Privacy policy ............................... 91%
Fully dedicated privacy officer .............. 25%
Formal budget authority ...................... 32%
Formal training program for employees ........ 35%
Due diligence process ........................ 21%
Formal monitoring program .................... 19%
Global focus ................................. 13%
Formal dispute resolution process ............ 12%
Use of enabling technologies ................. 15%
Integration with information security team ... 18%
Employee privacy program ..................... 20%
Board-level involvement ...................... 5%

Source: the same unpublished study of 181 corporations (all Fortune 1000 or Global 500 companies) cited above.

Page 32

Benchmark by Industry Classification

Share of companies in each industry scoring “yes” to 4 or more of the 12 benchmarks on the previous slide:

Financial Services ........ 55%
Telecom/Communications .... 47%
Health Care ............... 13%
Manufacturing ............. 11%
Retail .................... 50%

Source: the same unpublished study of 181 corporations (all Fortune 1000 or Global 500 companies) cited above.

Page 33

Best Practices for Global Corporations

• Integration with information security team

• High-level reporting to the CEO with periodic reports to the Board

• Use of enabling technologies such as P3P

• Empowering local privacy managers

• Real budget authority

• Black Belt training orientation

• Redress program with real powers to investigate and enforce

• Internal monitoring of privacy program (and mock regulatory audits)

• Third-party verification

• Good quality disclosure

• Greater use of choice (such as opt-in approach for sensitive information)

• Use of insurance to mitigate privacy and data protection blow-ups

• Balanced approach to data collection for marketing and other uses

Page 34

Questions & Answers

Presentation by Dr. Larry Ponemon, CEO, Privacy Council

(972) 997 4016

[email protected]